Minimum Permissions Required for Account Used to Join Computers to a Domain During OS Deployment

This account can be used for either Lite Touch deployments (MDT on its own) or Zero Touch deployments (MDT integrated with SCCM / ConfigMgr).

The account requires the permissions listed below, delegated on the OUs (or the domain) it needs to work in. This can be done with the Delegation of Control wizard or, as in this example, by editing the security of the particular OUs directly.

The account SHOULD NOT be a member of “Domain Admins” (or any other privileged group). Its credentials are stored in the deployment share / task sequence and are recoverable on a client during deployment, so treat them as exposed and keep the account’s rights to the minimum.

In this example I will use a domain account called “CM_DJ” (short for ConfigMgr Domain Join) which starts out with no special permissions other than membership of “Domain Users”. The account should also be prevented from logging on to computers interactively via a GPO, using the “Deny log on locally” (and “Deny log on through Remote Desktop Services”) User Rights Assignment items; it never needs to log on anywhere, it only needs to authenticate to the domain.

In order to see the Security tab in Active Directory Users and Computers, enable “Advanced Features” from the View menu.

(Screenshot: “Advanced Features” enabled on the View menu)

The permissions below cover both deployment scenarios:

  • Adding (and, if needed, removing) computer accounts (“Bare Metal” / New Computer scenarios)
  • Updating existing computer accounts (“Refresh” scenarios)

Open the Security tab of the OU you want to give permissions on. This can be done at the domain level if required, but for security reasons it is best to limit it to the OUs that OSD actually creates computers in.

Right-Click the relevant OU and select Properties.

Navigate to the Security tab.

Click on “Advanced“.

Click on “Add” and browse to your account e.g. TESTLAB\CM_DJ (DomainName\JoinAccount)

Choose the following settings:

Choose “This object and all descendant objects” and tick:

  • Create Computer Objects
  • Delete Computer Objects

(Screenshot: permission entry applied to “This object and all descendant objects”)

Click “OK”.

Click “Add” again and once more select the “JoinAccount” user.

This time, limit the “Applies to” scope to “Descendant Computer objects” and tick the following:

  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Change Password
  • Reset Password
  • Validated write to DNS host name
  • Validated write to service principal name

(Screenshots: permission entry applied to “Descendant Computer objects”)

Once this has been done the “JoinAccount” (in this example TESTLAB\CM_DJ) has the permissions required to add, modify and remove computer accounts in the OUs you specified and nothing over and above that. Note that “Write All Properties” does mean every attribute of every computer object under those OUs, so keep the scope to the OSD OUs rather than the whole domain, and check the resulting entries on the OU’s Security tab (Advanced view) to make sure nothing was applied more widely than intended.
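The same two permission entries can be applied from PowerShell. The script below is an added example written for this page; it is not the author’s own script nor the one linked at the end of the post. It assumes the ActiveDirectory module, a join account called CM_DJ and a target OU of OU=Workstations,DC=testlab,DC=local (both are assumptions; change them to suit), and it must be run once by an account that is allowed to modify the OU’s security, never from the task sequence itself. The GUIDs for the computer class, the extended rights and the validated writes are looked up in the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not from the original post): grant the OSD join account the two
# permission entries described above on one OU, using the ActiveDirectory module.
# Assumptions: join account CM_DJ, target OU as below. Change both to suit.
#Requires -Modules ActiveDirectory
param(
    [string]$JoinAccount = 'CM_DJ',                               # sAMAccountName (assumed)
    [string]$TargetOU    = 'OU=Workstations,DC=testlab,DC=local'  # OU to delegate on (assumed)
)

Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$identity = [System.Security.Principal.SecurityIdentifier](Get-ADUser -Identity $JoinAccount).SID

# schemaIDGUID of the "computer" class: used to scope the ACEs to computer objects only.
$computerClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# rightsGuid of every control access right, keyed by the display name the GUI shows.
$rightsGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightsGuid[$_.displayName] = [guid]$_.rightsGuid }

$AceType     = [System.DirectoryServices.ActiveDirectoryAccessRule]
$R           = [System.DirectoryServices.ActiveDirectoryRights]
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$All         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @()

# Entry 1, "This object and all descendant objects":
# Create Computer objects / Delete Computer objects (objectType = computer class).
$rules += $AceType::new($identity, ($R::CreateChild -bor $R::DeleteChild), $Allow,
    $computerClassGuid, $All)

# Entry 2, "Descendant Computer objects" (inheritedObjectType = computer class):
# Read All Properties, Write All Properties, Read Permissions, Modify Permissions.
$rules += $AceType::new($identity,
    ($R::ReadProperty -bor $R::WriteProperty -bor $R::ReadControl -bor $R::WriteDacl),
    $Allow, $Descendents, $computerClassGuid)

# Change Password / Reset Password are extended rights ...
foreach ($name in 'Change Password', 'Reset Password') {
    $rules += $AceType::new($identity, $R::ExtendedRight, $Allow,
        $rightsGuid[$name], $Descendents, $computerClassGuid)
}
# ... and the two validated writes are "Self" rights, all scoped to descendant computers.
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $rules += $AceType::new($identity, $R::Self, $Allow,
        $rightsGuid[$name], $Descendents, $computerClassGuid)
}

# Read the OU's ACL, add the ACEs (existing entries are kept) and write it back.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check: show only the ACEs that now apply to the join account on this OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The final check is worth keeping: an ACE with an empty ObjectType or an InheritanceType of “All” on the second entry would mean the rights were applied to every descendant object rather than only computers, which is exactly the over-delegation the GUI steps are meant to avoid.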

/ JC


## Edit 09/03/2017 ##

Updated to reflect the updated GUI in Windows Server 2012 and later.

## Edit 24/02/2015 ##

To automate this process, check out Johan Arwidmark’s blog where you can download a script that he and Mikael Nystrom wrote to automate the permissions required:

Script to Set AD Permissions for OSD

This entry was posted in Microsoft Deployment Toolkit (MDT), SCCM 2007.

8 Responses to Minimum Permissions Required for Account Used to Join Computers to a Domain During OS Deployment

  1. Tony says:

    Thank you for this. I have been looking for minimal settings for hours now. Your page had exactly what i was looking for.

  2. I like the valuable information you supply to your articles.
    I will bookmark your weblog and take a look at once more right here frequently.
    I am relatively certain I’ll learn many new stuff proper right here! Good luck for the following!

  3. Jeff says:

    Pretty! This was an extremely wonderful article. Many thanks
    for supplying this info.

  4. It’s like you read my mind! You appear to know a lot about
    this, like you wrote the book on it or something.
    I think that you could do with a few pics to drive the message home a little bit, but instead of that,
    this is a wonderful blog. An excellent read. I’ll definitely be back.

  5. Olive says:

    You really make it seem so easy along with your presentation but I find this
    topic to be actually one thing which I think I might
    never understand. It sort of feels too complicated
    and extremely vast for me. I’m having a look ahead on your next publish, I will attempt to get the cling of it!

  6. Pingback: Permissions for MDT deployment account | Technology Librarian Does Stuff

  7. m88 says:

    Wow, that’s what I was seeking for, what a material! Existing here at
    this blog, thanks admin of this site.

  8. Pingback: Using Citrix PVS to stream Linux VDA (RHEL 7 Workstation) | magicalyak
